During the Intake – we have designed your first X-Ray – already created a structure, by introducing icons and using symbols for flows between hardware, stakeholders and components. However, it can still be a bit of a labyrinth – complexity depending on the phase the Venture is in. So from the X-Ray (labyrinth) we are going to organize the compliance documentation on a ‘checkboard’ with Mandatory ISO27001 topics for every vertical list. That is why we organize separate conversations with Business and Tech; not to create brainstorm sessions, but to challenge each one on the topics that they are in charge of.
Strategy, Legal and IT Infrastructure – The first 3 topics. It is scary – and not only for the Ventures I can assure you. For us this is the moment that we need to prove that we can translate the complex world of Compliance into understandable choices for the Venture to make. The Strategy we address is the compliance strategy, that needs to support the Business Strategy and the Product Roadmap.
Strategy & Ambition – Most of our customers are young companies with huge ambitions and it is our job to challenge the Business strategy by asking the right compliance questions. We follow your business strategy and explain what the compliance consequences are or could become. We make use of our experience and give general examples of likeminded customers – it is always up to you to decide what choices you make.
Legal – We do see a lot of young companies struggling with this topic, when starting a business, you are focussed on Pilots and Proof of Concepts, getting your first customers and develop your Minimum Viable Product. You cannot afford expensive layers to setup legal frameworks – and probably your (corporate) customer will provide your first contracts. So, in this phase we support you with structure in your contracts, Privacy templates and a GDPR assessment, delivering suggestions for improvements.
IT Infrastructure – This should be a piece-of-cake for the CTO, and most of the times it is, as we already have an X-Ray of the entire IT infrastructure designed. Furthermore, our experience is that most CTOs are quite knowledgeable about cybersecurity topics and if not, they probably have outsourced the job with a professional party. However, the one thing that Tech People do not excel in is story telling; meaning that when asked they always underestimate the work they already performed, assuming that what they do is not good enough. This is exactly the reason that I like working with young Smart Tech Companies – I think most of them work already (at least) 70% compliant, they are just not aware of that. So, our job in the 5DII Program is to share knowledge and together create the evidence that is needed to become ISO27001 compliant. The 5DII is most of all a security awareness training for the CEO/COO and CTO.